DDOS attack Microsoft - Windows NT

This is a discussion on DDOS attack Microsoft - Windows NT ; Mark Dodel wrote:
>
> That is simply not true. Windows is setup from the get go for little
> security. Microsoft has builtin a number of backdoors so they can
> access your system (they of course claim its ...

Re: DDOS attack Microsoft

Mark Dodel wrote:

<>
> That is simply not true. Windows is setup from the get go for little
> security. Microsoft has builtin a number of backdoors so they can
> access your system (they of course claim its not anything insidious),
> and these are exploitable once discovered. Why are mail attachments
> automatically opened and run. Why are file extensions not displayed
> by default for the people who are too stupid to click on anything that
> someone tells them to. The users are not the problem (unless you
> consider their constant belief of Microsoft's marketing lies),
> Microsoft is. Instead of putting out patches that are just bandaids,
> they should fix the damn problems with their software.
>
> As to the security through obscurity claim, that is a great point.
> People should have multiple platforms available so that when Windows
> is down with the latest virus/worm/exploit they can still be running.
> I have no problems here, as I wouldn't let a Windows machine near the
> internet for any length of time.
>
> Mark
>
> --
> From the eComStation of Mark Dodel

An interesting contradiction. Even from within Microsoft's Windows lines,
Windows 9X is the least secure but the easiest to use. Of course, in the
overall process of dumbing down, all sorts of funny and quirky little avenues
open up and they can be exploited at the expense of security. Anybody still
remember using Pine for e-mails? How about the command prompt? Or
*.bat files and menus? Or in Windows 9X, the unending complaints of the
inadvertant passworded log on? Don't hear the Windows NT, 2000 or XP
users complaining even though their own arrogance while working behind
their (and mine) firewalls, security blankets, etc., had created a false sense
of security. Anybody want to go back to assembler?

Re: DDOS attack Microsoft

> Alan Connor scribbled:
>> On Sun, 07 Sep 2003 15:02:56 GMT, Leythos wrote:
>> Linux is no more secure than Windows, it's just less of a target and
>> has less exposure to the people that want to take down MS.
>> The problem is not MS, it's the way people use the product and the
>> complete ignorance of it's users/installers. We've been installing
>> Windows in industrial and office locations for more than 10 years
>> without a single instance of a virus or compromise in any station.
>> It's all in knowing how to secure your OS, even if it's Linux, SCO,
>> AIX, OS/2, Windows, etc...
> The above is, simply, garbage.
> UNIX-like OSs were created to do real work in the real world.

No it isn't.....

Have *YOU* eyeballed the code, found this weeks Linux flaws and
vulnerabilities and fixed them? Or do you rely on others doing that for
you, or worst yet, believe that because you're running Linux they simply
dont and *CANT* exist?

Open source critics also argue that open source can lead to a false
sense of security. They say that just because the source code is
available doesn't guarantee that anyone is reading it. Nor does it mean
that all the bugs have been found and fixed. Many users install and use
open source software without ever looking at the code. They assume
someone else has already scanned it for possible vulnerabilities.
Undetected bugs have lingered in some popular open source packages for
years. This is a legitimate concern.
But make no mistake, simply being open source is no guarantee of
security.
Elias Levy, "Wide Open Source"http://online.securityfocus.com/news/19

Before I get flamed for this, please understand that a holy war, "Linux
uber alles" of sorts, is a self-defeating strategy. I hope that there
is a healthy "silent majority" of the open source community (that why I
actually am writing this FAQ) who are just writing code as best they
can, and/or submitting patches bug reports. But that does not mean that
we can just ignore the ranting and raving of the zealots. But the public
tend to define the open source community in terms of its most outspoken
members which in this particular case means zealots...http://www.softpanorama.org/OSS/Bla_...ymondism.shtml

Re: DDOS attack Microsoft

"Alan Connor" wrote in message
news:8%I6b.2581$PE6.2362@newsread3.news.pas.earthl ink.net...
> On Sun, 07 Sep 2003 15:02:56 GMT, Leythos wrote:
> >
> >
> > In article ,
> > madodelNOSPAM@ptd.net says...
> >> On Sun, 7 Sep 2003 11:57:45 UTC, "Manoj Paul Joseph"
> >> wrote:
> >>
> >> -> > Nice to note that it was linux based servers that saved M$ though
;-)
> >> -> Why Linux based servers?
> >> -> Anyone any idea?
[snip]
> > The problem is not MS, it's the way people use the product and the
> > complete ignorance of it's users/installers. We've been installing
> > Windows in industrial and office locations for more than 10 years
> > without a single instance of a virus or compromise in any station. It's
> > all in knowing how to secure your OS, even if it's Linux, SCO, AIX,
> > OS/2, Windows, etc...
> >
>
> The above is, simply, garbage.
>
> UNIX-like OSs were created to do real work in the real world.
>
> M$ Oss were created by self-involved game-players who are STILL trying
> to turn the computer/internet into a rec-room and shopping mall.
>
> (unfortuanetely, too many linux distros are following their lead)
>
> Compared to M$, *nix systems are a miracle of efficiency,stability, and
> securtity.

[this spam is unintentional - I do not know which group the original poster
reads]

This is crap. Try putting a stock RedHat system on the web for a few days
without modifying anything after the install and see how long it takes until
it is compromized! Even back on version 6 the machine only lasted 2 days
without being compramized on a dial up network. Now, with broadband
allowing much more nefarious activity to occur before you can catch things,
I would not like to try this experiment but I am told that you can expect to
be compramized in an hour or two.

RedHat used to [version 6] install all servers by default and no firewall
and the "experts" would bag the users for "not securing their systems".

But if these same users installed a stock Microsoft OS on their computer and
it was compromized these same RedHat/linux zealots would blame the Microsoft
for not distributing a secure system rather that the users for not securing
the system. This demonstrates some of the hypocracy eminaning from some
people.

Furthermore I am continually being sent security notices from RedHat for
bugs found in the various pieces of software in their OS. Yet the critical
updates from windows seem far fewer. So even though there are heaps more
people trying to target Microsoft they apparently find fewer holes than
linux/open source software.

Don't blame M$ for sys admin errors just as you wouldn't expect people to
blame RedHat for system admin errors.

Re: DDOS attack Microsoft

On Sun, 07 Sep 2003 23:50:13 +0000, User wrote:
> This is crap. Try putting a stock RedHat system on the web for a few days
> without modifying anything after the install and see how long it takes until
> it is compromized!

Pure nonsense from someone totally unfamiliar with Red Hat and too
ignorant of Linux to even have executed on a fresh RH-9 installation:

$ netstat -a | grep LISTEN

And I don't even like Red Hat and won't use it.

Re: DDOS attack Microsoft

On Mon, 8 Sep 2003 10:47:37 +1200, Max Burke wrote:
>
>
>> Alan Connor scribbled:
>
>>> On Sun, 07 Sep 2003 15:02:56 GMT, Leythos wrote:
>>> Linux is no more secure than Windows, it's just less of a target and
>>> has less exposure to the people that want to take down MS.
>>> The problem is not MS, it's the way people use the product and the
>>> complete ignorance of it's users/installers. We've been installing
>>> Windows in industrial and office locations for more than 10 years
>>> without a single instance of a virus or compromise in any station.
>>> It's all in knowing how to secure your OS, even if it's Linux, SCO,
>>> AIX, OS/2, Windows, etc...
>
>> The above is, simply, garbage.
>> UNIX-like OSs were created to do real work in the real world.
>
> No it isn't.....
>

Yes it is. I know LOTS of people who run linux, and they never have any
problems.

I know lots of people that run M$ and they are ALWAYS having problems.

Sorry, but I trust the evidence of my experience over any alleged evidence
provided by a M$ weenie.

Re: DDOS attack Microsoft

On Sun, 07 Sep 2003 23:50:13 GMT, User wrote:
>
>
> "Alan Connor" wrote in message
> news:8%I6b.2581$PE6.2362@newsread3.news.pas.earthl ink.net...
>> On Sun, 07 Sep 2003 15:02:56 GMT, Leythos wrote:
>> >
>> >
>> > In article ,
>> > madodelNOSPAM@ptd.net says...
>> >> On Sun, 7 Sep 2003 11:57:45 UTC, "Manoj Paul Joseph"
>> >> wrote:
>> >>
>> >> -> > Nice to note that it was linux based servers that saved M$ though
> ;-)
>> >> -> Why Linux based servers?
>> >> -> Anyone any idea?
> [snip]
>> > The problem is not MS, it's the way people use the product and the
>> > complete ignorance of it's users/installers. We've been installing
>> > Windows in industrial and office locations for more than 10 years
>> > without a single instance of a virus or compromise in any station. It's
>> > all in knowing how to secure your OS, even if it's Linux, SCO, AIX,
>> > OS/2, Windows, etc...
>> >
>>
>> The above is, simply, garbage.
>>
>> UNIX-like OSs were created to do real work in the real world.
>>
>> M$ Oss were created by self-involved game-players who are STILL trying
>> to turn the computer/internet into a rec-room and shopping mall.
>>
>> (unfortuanetely, too many linux distros are following their lead)
>>
>> Compared to M$, *nix systems are a miracle of efficiency,stability, and
>> securtity.
>
>
> [this spam is unintentional - I do not know which group the original poster
> reads]
>
> This is crap. Try putting a stock RedHat system on the web for a few days
> without modifying anything after the install and see how long it takes until
> it is compromized!

Well, Redsnot is hardly representative of linux. That's one of the M$ wannabee
distros.

Re: DDOS attack Microsoft

"Alan Connor" wrote in message
news:aDS6b.3063$PE6.2083@newsread3.news.pas.earthl ink.net...
> On Mon, 8 Sep 2003 10:47:37 +1200, Max Burke wrote:
> >
> >
> >> Alan Connor scribbled:
> >
> >>> On Sun, 07 Sep 2003 15:02:56 GMT, Leythos wrote:
> >>> Linux is no more secure than Windows, it's just less of a target and
> >>> has less exposure to the people that want to take down MS.
> >>> The problem is not MS, it's the way people use the product and the
> >>> complete ignorance of it's users/installers. We've been installing
> >>> Windows in industrial and office locations for more than 10 years
> >>> without a single instance of a virus or compromise in any station.
> >>> It's all in knowing how to secure your OS, even if it's Linux, SCO,
> >>> AIX, OS/2, Windows, etc...
> >
> >> The above is, simply, garbage.
> >> UNIX-like OSs were created to do real work in the real world.
> >
> > No it isn't.....
> >
>
>
> Yes it is. I know LOTS of people who run linux, and they never have any
> problems.
>
> I know lots of people that run M$ and they are ALWAYS having problems.
>
> Sorry, but I trust the evidence of my experience over any alleged evidence
> provided by a M$ weenie.
>
>
> M$ users are to computers what Bush it to terrorism:
>
> Their take on the subject is worthless.

This kind of comment only demonstrates you perceptions and biases. Your ego
at your ability is more than a match for windows users. Deriding others
does not prove your point.

Tell me what is inherent in the security model used in Linux that makes it
so much better than windows NT, 2000 etc

Re: DDOS attack Microsoft

As Noi so eloquently gibbered on Sun, 07 Sep 2003 at 17:55 GMT:
> On Sun, 07 Sep 2003 15:08:11 +0000, Sinister Midget without thinking
> wrote:
>
>> As Colin Wilson so eloquently gibbered on Sun, 07 Sep 2003 at 11:48 GMT:
>>
> [snip]
>> The trick of hiding behind linux servers was for a later attack. That
>> was "coincidence"(tm) because it was someone they simply contracted
>> with, without making any effort to check what they were running.
>>
>>
> I doubt that MS was naive enough that it didn't know the kind of servers
> they would hide behind.
>
> [snip]

Either I needed to use or you needed to parse the
next paragraph. And I quote:

"That's how you make billions in big business: by not checking
everything you're about to do and the background on those you're about
to do it with."

--
Linux: Because life is too short to spend it rebooting.

Re: DDOS attack Microsoft

MMMMMmmmmmm .....

Linux supporter?

What sort of intallation did you do a netstat on? Server or Workstation?
Thats right you have to be the network administrator even before you can
install the operating system.

You're right though. I haven't installed RedHat 9 (yet). If I spent my
time reinstalling the operating system each time RedHat came out with a new
version I wouldn't get any real work done. In fact just the fact that
RedHat needs to bring out a new version almost yearly demonstrates how easy
compramises are actually found in each successive version.

Try it with redhat 6 or 7 (which many people have installed within the last
two years) and some connectivity [i.e. have some daemons running that allow
you to actually use the machine on a network]. ssh and apache are your
friends.

So are you suggesting that just becuase they have now turned services off
for default in workstation a linux machine is more secure? In reality what
it means is I cannot just plug in into my network and run it. I have to act
like a systems administrator and configure it first.

I generally do use linux machines as a gateway because I can configure them
easier. That is only because I know what the services are and how to turn
them on and off as well as how to do some other basic stuff. I know how to
turn them on and off in windows too but I don't know what they all are so
don't use it.

On the other hand I cannot see anything in the basic security models to
suggest that linux [in general] is better than windows for security nor is
there many more security / critical updates for windows than linux which
would suggest buggier code.

"Dave Uhring" wrote in message
newsan.2003.09.08.00.48.35.807084@yahoo.com...
> On Sun, 07 Sep 2003 23:50:13 +0000, User wrote:
>
> > This is crap. Try putting a stock RedHat system on the web for a few
days
> > without modifying anything after the install and see how long it takes
until
> > it is compromized!
>
> Pure nonsense from someone totally unfamiliar with Red Hat and too
> ignorant of Linux to even have executed on a fresh RH-9 installation:
>
> $ netstat -a | grep LISTEN
>
> And I don't even like Red Hat and won't use it.
>

Re: DDOS attack Microsoft

"Bill Unruh" wrote in message
news:bjfpsr$hil$1@string.physics.ubc.ca...
> ]The problem is not MS, it's the way people use the product and the
> ]complete ignorance of it's users/installers. We've been installing
>
> No, it is also MS. The latest blaster worm used a hole in the MS
> product. If you claim that it is others fault because they did not know
> about, download and install the patch, how the hell were they supposed
> to know about it, download and install it? MS did not send and email to
> all registered uses and send and email and money to all registered
> Windows dealers to contact their customers to install the patch.

Actually, you are both quite correct. In an effort to appeal to the
broadest possible market MS has concocted a stew that has a ton of bells and
whistles and nothing whatever to cause the "average" user to ask "what does
this mean?" Unfortunately in doing so they have failed to pay adequate
attention to security - things like automatically opening files when they
display in Outlook and not displaying file extensions by default. They are
finally beginning to give those things some thought (many would say too
little, too late) but even now not automatically opening files and the like
are hard to find options that you have to be aware of rather than enabled by
default.

Remember, especially in the last 6 or 7 years computer ownership has way
more than doubled and the profile of the "average" user has changed
dramatically. Almost no one has ever had the first 1/2 of a class on
computers - not how they work, not how to operate one, not even where the
any key is - and many never read the owner's manual at all. What most
people want is an "out of the box and onto the internet" solution that
functions much like a radio or TV - turn it on and it goes.

Microsoft has a big share of the blame (along with Compaq, HP, Sony etc.)
for the insecurity of its products, but much of that lies in a failure to
educate.

Re: DDOS attack Microsoft

On Mon, 08 Sep 2003 04:14:21 GMT, User wrote:
>
>
>
> "Alan Connor" wrote in message
> news:aDS6b.3063$PE6.2083@newsread3.news.pas.earthl ink.net...
>> On Mon, 8 Sep 2003 10:47:37 +1200, Max Burke wrote:
>> >
>> >
>> >> Alan Connor scribbled:
>> >
>> >>> On Sun, 07 Sep 2003 15:02:56 GMT, Leythos wrote:
>> >>> Linux is no more secure than Windows, it's just less of a target and
>> >>> has less exposure to the people that want to take down MS.
>> >>> The problem is not MS, it's the way people use the product and the
>> >>> complete ignorance of it's users/installers. We've been installing
>> >>> Windows in industrial and office locations for more than 10 years
>> >>> without a single instance of a virus or compromise in any station.
>> >>> It's all in knowing how to secure your OS, even if it's Linux, SCO,
>> >>> AIX, OS/2, Windows, etc...
>> >
>> >> The above is, simply, garbage.
>> >> UNIX-like OSs were created to do real work in the real world.
>> >
>> > No it isn't.....
>> >
>>
>>
>> Yes it is. I know LOTS of people who run linux, and they never have any
>> problems.
>>
>> I know lots of people that run M$ and they are ALWAYS having problems.
>>
>> Sorry, but I trust the evidence of my experience over any alleged evidence
>> provided by a M$ weenie.
>>
>>
>> M$ users are to computers what Bush it to terrorism:
>>
>> Their take on the subject is worthless.
>
> This kind of comment only demonstrates you perceptions and biases. Your ego
> at your ability is more than a match for windows users. Deriding others
> does not prove your point.
>

The real world proves my point. See below.

> Tell me what is inherent in the security model used in Linux that makes it
> so much better than windows NT, 2000 etc
>
>
>

Don't need to. I judge from experience and observation.

M$ users are ALWAYS having security problems, and *nix users rarely have
them.

Well, you're not going to get much of an answer from Alan, who is
irritatingly shrill and blindered. I'll give it a shot, though:

1) Linux is open-source, hence the source code may be reviewed by any
number of eyes for security holes. Granted this review isn't going
to take place automatically - it requires a group effort - but it
is at least *possible*.

2) Linux is effectively descended from Unix, and as such, it has
incorporated the concept of "there's root and there's non-root, and
most things should be done as the latter" from day one. NT/2000
are (as I understand it) effectively descended from MS-DOS/Win3.1
and VMS; the former brings with it the concept of "there's only one
user, and that user has an easy time of doing whatever he damn well
pleases-- and any programs run on that user's watch have an equally
easy time of doing whatever *they* damn well please". Yes, there is
*now* an administrator / non-administrator distinction, but it's a
relatively late-coming concept.

3) Linux is geared toward small efficient parts that build up into a
full solution. Windows is geared toward all-in-one systems; if one
part needs access to something, then the typical solution is to give
the whole system access. (Some Linux programs come under fire for
following the all-in-one approach; I think sendmail is one of them.)

Many of the issues are not inherent in the security model, but rather
arise from practices. There are competent users and administrators and
developers on both sides, but most of the *incompetent* users and
administrators and developers are using Windows (thus driving down the
average).

Windows is easy to get. (Most people get it when they buy a new
computer.) Linux takes effort to get. (Not much, though.)

Windows touts itself as easy to use. Taken to an extreme, though, this
becomes "easy to push buttons without really understanding what you're
doing, or why". (As Linux's ease of use increases, it will have to deal
with the same problem - presumably via education.)

Viruses, in particular, are pretty much a non-issue on Linux, because:

* A Linux user has to save a file, set it executable, then execute
it. An Outlook Express user just has to preview a message with the
file attached. (Okay, OE != Windows, but they're both Microsoft and
they're both very common. Yes, there's a patch, but how many users
*still* haven't applied it? Other mail readers have varying levels
of sanity in this regard.)

Yes, someone *could* write e-mail software for Linux with all the
same goofs. However, the community would quickly spot those goofs
and make a lot of noise, and so it probably wouldn't become popular
or widely used until things got fixed.

* Even if the virus gets to run, it's only going to trash that user's
files. It won't touch any other user's files, and it won't touch
system files, because it doesn't have permission to. (Any root user
who would goof up and run a virus, is probably going to goof up and
blow away the system with a typo first.)

Linux users *do* have to worry about root exploits, i.e. program bugs
that allow a non-root user to gain root access. Good Linux users keep
tabs on patches, just as good Windows users keep tabs on critical
patches from Windows Update.

* Linux encompasses a greater variety of hardware and software than
Windows. A virus that infects one flavor of Linux may have no effect
on another.

There, that should be plenty of fodder for all sides to discuss. Discuss.

Re: DDOS attack Microsoft

On Mon, 08 Sep 2003 04:34:14 GMT, User wrote:
>
> On the other hand I cannot see anything in the basic security models to
> suggest that linux [in general] is better than windows for security nor is
> there many more security / critical updates for windows than linux which
> would suggest buggier code.
>
>

Yes. I can well understand why YOU "...cannot see anything in the basic
security model.....".

Because you obviously know nothing about *nix.

Any newbie could tell you that the 'security model' in *nix begins with
the system of file ownerships and permissions.

And, perhaps, ends with tools that allow users to access
the kernel network packet handling system, commonly used to setup firewalls.
Iptables would be one of the best of these.

Should you have actually bothered to educate yourself on the matter, rather
than just posting pure garbage, you would have discovered in short order
that there are varieties of *nix that basically CANNOT be compromised, that
are typically used for firewalls. OpenBSD would be one of them.

The proof is in the pudding, as the old expression goes.

What percentage of *nix machines were compromised in the last 5 years
compared to the same figure for M$?

Re: DDOS attack Microsoft

In article , Alan
Connor wrote:
>> Tell me what is inherent in the security model used in Linux that makes it
>> so much better than windows NT, 2000 etc
>
> M$ users are ALWAYS having security problems, and *nix users rarely have
> them.
>
> No rational person needs to know more than that.

In fact, what makes a person rational is their need to know more. You give
no proof to back up your argument but gut feeling and more claims,
demanding more proof, which again you are not willing or able to give.
_That_ is not very rational.

You could give several good old Unix strengths like permissions,
kernel-level firewalling, open source code and peer review etc. etc. to
argue, but you choose to troll the MS groups instead.

Followups set, this has no substance for any of the more technical groups.

--
Juha Siltala

Re: DDOS attack Microsoft

The real world does nothing of the kind.....
>> Tell me what is inherent in the security model used in Linux that
>> makes it so much better than windows NT, 2000 etc
> Don't need to. I judge from experience and observation.

Then you have had *at best* very limited experiences, let alone any
valid observations to justify your beliefs. But then this is how
zealots behave.....
> M$ users are ALWAYS having security problems, and *nix users rarely
> have them.

BS.

Have YOU checked to see what vulnerabilities exist in OSS/Linux this
week?
Have YOU 'eyeballed' the code this week?
Have YOU patched this week?
> No rational person needs to know more than that.

Open source critics also argue that open source can lead to a false
sense of security. They say that just because the source code is
available doesn't guarantee that anyone is reading it. Nor does it mean
that all the bugs have been found and fixed. Many users install and use
open source software without ever looking at the code. They assume
someone else has already scanned it for possible vulnerabilities.
Undetected bugs have lingered in some popular open source packages for
years. This is a legitimate concern.
But make no mistake, simply being open source is no guarantee of
security.
Elias Levy, "Wide Open Source"http://online.securityfocus.com/news/19

Re: DDOS attack Microsoft

> Ed Murphy scribbled:
>> On Mon, 08 Sep 2003 04:14:21 +0000, User wrote:
> Well, you're not going to get much of an answer from Alan, who is
> irritatingly shrill and blindered. I'll give it a shot, though:
> 1) Linux is open-source, hence the source code may be reviewed by any
> number of eyes for security holes. Granted this review isn't going
> to take place automatically - it requires a group effort - but it
> is at least *possible*.

There are many benefits of open source software unrelated to security.
And the "many eyeballs" effect does have the potential to make open
source software more secure than proprietary systems. Currently,
however, the benefits open source provides in terms of security are
vastly overrated, because there isn't as much high-quality auditing as
people believe, and because many security problems are much more
difficult to find than people realize. Open source programs which appeal
to a limited audience are particularly at risk, because of the smaller
number of eyeballs looking at the code. But all open source software is
vulnerable, and the open source movement can only benefit by paying more
attention to security.http://www.earthweb.com/article/0,,1...6641_2,00.html
> 2) Linux is effectively descended from Unix, and as such, it has
> incorporated the concept of "there's root and there's non-root, and
> most things should be done as the latter" from day one. NT/2000
> are (as I understand it) effectively descended from MS-DOS/Win3.1
> and VMS; the former brings with it the concept of "there's only one
> user, and that user has an easy time of doing whatever he damn well
> pleases-- and any programs run on that user's watch have an equally
> easy time of doing whatever *they* damn well please". Yes, there
> is *now* an administrator / non-administrator distinction, but
> it's a relatively late-coming concept.
> 3) Linux is geared toward small efficient parts that build up into a
> full solution. Windows is geared toward all-in-one systems; if one
> part needs access to something, then the typical solution is to
> give the whole system access. (Some Linux programs come under
> fire for following the all-in-one approach; I think sendmail is
> one of them.)
> Many of the issues are not inherent in the security model, but rather
> arise from practices. There are competent users and administrators
> and developers on both sides, but most of the *incompetent* users and
> administrators and developers are using Windows (thus driving down the
> average).
> Windows is easy to get. (Most people get it when they buy a new
> computer.) Linux takes effort to get. (Not much, though.)
> Windows touts itself as easy to use. Taken to an extreme, though,
> this becomes "easy to push buttons without really understanding what
> you're doing, or why". (As Linux's ease of use increases, it will
> have to deal with the same problem - presumably via education.)
> Viruses, in particular, are pretty much a non-issue on Linux, because:
> * A Linux user has to save a file, set it executable, then execute
> it.

Sure there are few (if any) viruses or worms currently in the wild for
OSS/Linux.
But never say never because ALL these OSS/Linux security sites list the
exact same types of vulnerabilities and security flaws that occur
because of the bad programming practices that Microsoft gets blamed
for....
It's not because they cant exist, it's mostly because no one is
bothering to create viruses and worms to exploit these security flaws in
OSS/Linux *YET*...

Open source critics also argue that open source can lead to a false
sense of security. They say that just because the source code is
available doesn't guarantee that anyone is reading it. Nor does it mean
that all the bugs have been found and fixed. Many users install and use
open source software without ever looking at the code. They assume
someone else has already scanned it for possible vulnerabilities.
Undetected bugs have lingered in some popular open source packages for
years. This is a legitimate concern.
But make no mistake, simply being open source is no guarantee of
security.
Elias Levy, "Wide Open Source"http://online.securityfocus.com/news/19

> An Outlook Express user just has to preview a message with the
> file attached. (Okay, OE != Windows, but they're both Microsoft and
> they're both very common. Yes, there's a patch, but how many users
> *still* haven't applied it? Other mail readers have varying levels
> of sanity in this regard.)

Outlook Express running on XP is automatically run in the restricted
zone; It also automatically blocks all attachments by default; It is
easy to make ALL received, previewed, read, and sent emails and
newsgroup messages plain text as well....
It's not Microsoft's fault if users of Outlook Express then complain
that they can no longer access/view attachments, click on unknown
weblinks, or want to run unknown html code or scripts in emails that
they receive from persons unknown.....
> Yes, someone *could* write e-mail software for Linux with all the
> same goofs.

Like Sendmail?
> However, the community would quickly spot those goofs
> and make a lot of noise, and so it probably wouldn't become popular
> or widely used until things got fixed.

Yeah right.....
How come so many flaws and vulnerabilities get created in OSS/Linux in
the first place? Because of sloppy programming, and inattention to code
full of goofs...
Ref: See the links to the OSS/Linux security sites above for evidence of
that reality. Note that some of these sites update their extensive
security advisories at LEAST once a week.....
> * Even if the virus gets to run, it's only going to trash that user's
> files. It won't touch any other user's files, and it won't touch
> system files, because it doesn't have permission to. (Any root user
> who would goof up and run a virus, is probably going to goof up and
> blow away the system with a typo first.)
> Linux users *do* have to worry about root exploits, i.e. program
> bugs that allow a non-root user to gain root access. Good Linux
> users keep tabs on patches, just as good Windows users keep tabs on
> critical patches from Windows Update.
> * Linux encompasses a greater variety of hardware and software than
> Windows. A virus that infects one flavor of Linux may have no
> effect on another.
> There, that should be plenty of fodder for all sides to discuss.
> Discuss.

So here's what it does mean: Linux is a normal operating system; so is
XP. Both have bugs, some major, some minor. Anyone who tells you that
Linux is "inherently more secure" or "much less buggy" than XP simply
isn't working from current facts. The reality is that bugs happen, even
in Linux: Get over it.http://www.informationweek.com/
story 2003/01/24

Re: DDOS attack Microsoft

User wrote:
>> Yes it is. I know LOTS of people who run linux, and they never have
>> any problems.
>>
>> I know lots of people that run M$ and they are ALWAYS having
>> problems.
>>
>> Sorry, but I trust the evidence of my experience over any alleged
>> evidence provided by a M$ weenie.
>>
>>
>> M$ users are to computers what Bush it to terrorism:
>>
>> Their take on the subject is worthless.
>
>
> This kind of comment only demonstrates you perceptions and biases.
> Your ego at your ability is more than a match for windows users.
> Deriding others does not prove your point.
>
> Tell me what is inherent in the security model used in Linux that
> makes it so much better than windows NT, 2000 etc
>
I think the main thing in the security model _that is fairly obvious_ is
that users are segregated from one another by the OS so no user can
affect another (except denial of service which seldom affects security,
but causes only inconvenience) unless the affected user arranges this in
advance.

So, for example, if I download an e-mail with a virus in it and it was
targetted at UNIX or Linux machines by not being some .exe file, I might
screw myself up, but no one else. Only if I am so stupid as to run
download programs as root, including ftp, web browser, e-mail, etc.,
programs, would I be endangered. Unlike Microsoft Windows where everyone
is root all the time (at least in the systems I have seen). This may not
apply to newer versions of Microsoftware, if it can be configured to
separate users in a foolproof manner.

It _is not so obvious_, though I believe it, that in the Linux
development community, the code is not changed each year for marketing
reasons so the stuff never remains the same long enough for the bugs to
be worked out. Instead, the code is changed mainly for performance or
security reasons (exceptions, of course).

It _is a matter of faith_, to me at least, that having the code open
source means the temptation to provide security-by-obscurity is reduced,
that more eyes ensure higher level of scrutiny, etc. But while this is
true enough in principle, I do not really know if more intelligent eyes
actually scrutenize the code: I sure do not. And I doubt that the
programmers at Microsoft are stupid or anything; they are probably well
educated (academically, at least) and may be highly motivated to do good
work as well. It seems to me that the development environment there, for
marketing and perhaps legal reasons, is just not conducive to writing
good secure software.

Also, though I have not studied the Microsoft software code, it seems
reasonable to assume that the Linux code is constructed better in that
concerns are separated and information is hidden better and this tends
to reduce complexity and reduce errors. Lumping the windowing system in
with the kernel may increase speed of execution slightly, though unless
the code is deliberatly constructed to ensure high locality (reduce
working set size), this may be illusury. Gawd only knows what possible
benefit there could be by kludging the web browser in there other than
to enable violating the spirit of anti-trust rulings against the company
without, seemingly, violating the letter.

Re: DDOS attack Microsoft

"Alan Connor" wrote in message
news:dDU6b.3318$Yt.492@newsread4.news.pas.earthlin k.net...
> On Mon, 08 Sep 2003 04:34:14 GMT, User wrote:
> >
> > On the other hand I cannot see anything in the basic security models to
> > suggest that linux [in general] is better than windows for security nor
is
> > there many more security / critical updates for windows than linux which
> > would suggest buggier code.
> >
> >
>
>
> Yes. I can well understand why YOU "...cannot see anything in the basic
> security model.....".
>
>
> Because you obviously know nothing about *nix.
>
>
> Any newbie could tell you that the 'security model' in *nix begins with
> the system of file ownerships and permissions.

I guess you have just demonstrated your ignorance of NTFS.

Re: DDOS attack Microsoft

Ed Murphy wrote (in part):
> 2) Linux is effectively descended from Unix, and as such, it has
> incorporated the concept of "there's root and there's non-root, and
> most things should be done as the latter" from day one. NT/2000
> are (as I understand it) effectively descended from MS-DOS/Win3.1
> and VMS; the former brings with it the concept of "there's only one
> user, and that user has an easy time of doing whatever he damn well
> pleases-- and any programs run on that user's watch have an equally
> easy time of doing whatever *they* damn well please". Yes, there is
> *now* an administrator / non-administrator distinction, but it's a
> relatively late-coming concept.

Yes, but let us consider a recent Microsoft OS distribution, Windows XP
Home. According to "Windows XP in a Nutshell" by Karp, O'Reilly, and
Mott, page 6, Table 1-1:

Windows XP Home Windows XP Professional
User Accounts All users are administrators, Different user levels are
so there's no way to set up supported. Administrators
user accounts with limited have unrestricted control,
privileges or protect files but each user's files can
from other users. be encrypted and secured
from other users.

So unless this is an error in the book, even recent Microsoft
distributions are lacking in this respect. UNIX OS has had this feature
since the early 1970s for sure, and probably from day one (or two?).